Tool Enhancement
Security checks across malware telemetry and agentic risk
Overview
This skill is an intentionally powerful tool suite, but it gives an agent broad file, shell, Git, memory, MCP, and sub-agent authority with weak boundaries and includes unsafe dynamic code execution patterns.
Install only if you want OpenClaw to have a very powerful local-automation toolkit. Before use, disable or gate shell/sudo/background/process-kill, recursive delete, Git push, dynamic discovery, eval-based features, memory reuse, and MCP calls unless you understand and approve each action.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent invokes this tool incorrectly or on manipulated instructions, it could run destructive commands, expose files, start unwanted services, or alter the local machine.
The shell tool accepts an arbitrary command string and runs it through a shell. The code only blocks a few hard-coded dangerous strings, which does not meaningfully contain shell risk.
command = kwargs.get("command")
...
process = await asyncio.create_subprocess_shell(command, ...)
Only install if you intentionally want the agent to have shell access. Add explicit user approval, workspace/cwd restrictions, safer command allowlists, and disable sudo/background/process-kill functions unless required.
A mistaken or hijacked tool call could delete important local directories or project files.
The file deletion tool can recursively remove arbitrary directories provided by the caller, with no evidence of path scoping, recycle/backup behavior, or confirmation in the shown implementation.
if p.is_dir():
    if recursive:
        shutil.rmtree(p)
Restrict file operations to an approved workspace, require confirmation for delete/overwrite/move actions, and add dry-run or backup behavior for recursive deletion.
A normal-looking regex edit could overwrite a file with only the replacement text, causing data loss.
For regex edits when global replacement is false, the code appears to run the substitution against new_text instead of the original file content, then writes that result back to the file, so the file ends up containing only the replacement text. This can unexpectedly clobber a file.
new_content = pattern.sub(new_text, content if global_replace else new_text, count=0 if global_replace else 1)
...
with open(path, "w", encoding="utf-8") as f:
    f.write(new_content)
Fix the regex edit logic, add tests, show a diff before writing, and preserve backups before modifying files.
A crafted expression could potentially run code with the user's local permissions.
The static scan identifies direct eval use, and the inline comment acknowledges that production code should use AST parsing instead. If expression is user-controlled, this can execute arbitrary Python.
result = eval(expression)  # note: production code should use ast parsing instead
Remove eval, replace it with safe parsing such as ast.literal_eval or a constrained expression evaluator, and validate all inputs before execution.
Simply discovering tools could execute untrusted local code.
The discovery feature executes Python modules found in local tool directories, including the current working directory's tools folder. A malicious or unexpected .py file in those locations would run during discovery.
self.discover_paths = [Path.home() / ".openclaw" / "tools", Path.cwd() / "tools"] ... spec.loader.exec_module(module)
Require explicit approval before loading discovered modules, restrict discovery paths, verify signatures or trusted manifests, and avoid executing arbitrary files during enumeration.
The agent may be able to perform privileged system changes or push code to remote repositories under the user's identity.
The skill advertises privileged shell execution and remote Git pushes, which can use the user's local privileges or configured Git credentials, but the metadata declares no credential/config boundaries and the documentation does not show approval requirements.
`shell_sudo` | privileged (elevated) execution ... `git_push` | push to remote
Disable sudo and remote-mutating Git tools by default, require explicit user approval for each privileged/account action, and document exactly which local credentials or profiles may be used.
Information saved to memory could influence later agent behavior or expose sensitive notes if not managed carefully.
The skill includes persistent or reusable memory features. This is aligned with the advertised purpose, but the provided documentation does not describe storage location, retention, deletion, or how remembered content is trusted later.
`memory_remember` | store memory ... `memory_recall` | retrieve memory ... `memory_context` | context memory
Document memory storage and deletion controls, avoid storing secrets, and require user review before reusing remembered content for sensitive tasks.
Calls to MCP servers could share task context or invoke external tools depending on the configured servers.
The skill exposes MCP discovery, tool calls, resources, and prompts. This is purpose-aligned, but the provided artifacts do not describe MCP server identity checks, permission boundaries, or data-sharing limits.
`mcp_discover` | discover MCP servers ... `mcp_call` | call MCP tool ... `mcp_resource` | access MCP resource
Use only trusted MCP servers, review what data is sent to them, and require confirmation before invoking MCP tools that read private data or mutate state.
The agent could delegate work that continues in the background or acts on broad tool authority without clear user oversight.
The agent_spawn tool starts asynchronous sub-agent work from a prompt. This is advertised behavior, but the provided code and documentation do not show strong containment, permission separation, or user approval boundaries for delegated tasks.
asyncio.create_task(self._run_agent(task_id, timeout))
Require explicit approval for sub-agent creation, limit sub-agent permissions, show active tasks clearly, and provide reliable cancellation and audit logs.
